OpenVPN, Easy Root Certificate Reissue

    Good day. The background is as follows: ten years ago I built the infrastructure for a regional network of mobile-phone retail outlets. The accounting system was 1C:Enterprise 7.7 in distributed-database mode. Data was exchanged through an ordinary Windows network share, reached over an OpenVPN tunnel. Then, a week ago, the exchange between the centre and the branches stopped completely. For some reason the thought crept in at once: had ten years passed? That was exactly the lifetime the root certificate had been given. The logs confirmed the problem: the scheme had worked fine for those ten years, but the deadline had come. So what now, regenerate the entire set of client and server keys and certificates??? No, it can be done a little more simply...

    We let OpenSSL reissue the CA certificate and sign it with the old private key. The key pair, and therefore the certificate's Modulus, stays the same, so the new certificate successfully validates the old client certificates.

    Create a new certificate:

    openssl x509 -in ca.crt -days 3650 -out ca-new.crt -signkey ca.key

    We get the answer:

    Getting Private key

    and a new certificate ca-new.crt

    Let's verify the client certificate with a new root certificate:

    openssl verify -CAfile ca-new.crt client9.crt

    All is well:

    client9.crt: OK

    With the following command you can view the contents of the certificate and check that the Modulus of the new certificate is the same as that of the old one:

    openssl x509 -noout -text -in ca-new.crt

    Everything looks very good: we send out the new certificate, renamed to match the old one, with instructions to the user on where to put it (overwriting the old one).

    We restart the service on the server and watch the clients connect. Unfortunately, not all clients managed this successfully. Some got this in their log:

    Tue Mar 21 15:12:18 2017 VERIFY ERROR: depth=1, error=certificate signature failure: /C=RU...

    Here I lost several hours; in the end it turned out that client certificate verification did not work on those client computers either:

    openssl verify -CAfile ca-new.crt client9.crt

    The OpenSSL version bundled with OpenVPN turned out to be old and refused to verify successfully.

    Accordingly, the problematic clients had to upgrade OpenVPN to version 2.3.3 (that is the one I used; I can't say anything about others, but I expect newer versions to behave just as well), and the system has been sent off for another 10 years.
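The whole procedure reproduced end to end on a throwaway CA, as an added example that is not part of the original post and not OpenVPN's or OpenSSL's own tooling. It builds a demo CA with a one-day lifetime plus one client certificate, reissues the CA certificate with the same private key exactly as above, and then checks three things worth confirming before the new file goes out: the Modulus is unchanged; the client certificate fails against the old CA once it has expired (`openssl verify -attime` lets the check look three days ahead) but passes against the new one; and the signature algorithm of the re-signed certificate, because `openssl x509 -signkey` signs with the running OpenSSL's default digest rather than the one the original was signed with, which is worth comparing whenever older clients report a signature failure like the one above. The file names (demo-ca, client9) and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: reissue a root certificate
# with its existing private key and check the result on a throwaway CA.
# Everything here (demo-ca, client9, the temp directory) is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a demo CA that expires in one day and one client certificate it signs.
make_demo_pki() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -days 1 \
      -subj "/CN=demo-ca" -out "$WORK/ca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/client9.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client9.key" -subj "/CN=client9" \
      -out "$WORK/client9.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client9.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -out "$WORK/client9.crt" 2>/dev/null
}

# The post's command: re-sign the existing CA certificate with the same key.
reissue_ca() {
  openssl x509 -in "$WORK/ca.crt" -days 3650 -out "$WORK/ca-new.crt" \
      -signkey "$WORK/ca.key" 2>/dev/null
}

# Public-key modulus of a certificate ("Modulus=..."); same key pair, same output.
cert_modulus() {
  openssl x509 -noout -modulus -in "$WORK/$1"
}

# Signature algorithm the certificate carries (e.g. sha256WithRSAEncryption).
cert_sigalg() {
  openssl x509 -noout -text -in "$WORK/$1" \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Seconds since the epoch three days from now, to look past the old CA's expiry.
future_epoch() {
  echo $(( $(date +%s) + 3 * 86400 ))
}

# Verify a client certificate against a CA file as of a given time; prints OK or FAIL.
verify_client_at() {
  if openssl verify -attime "$1" -CAfile "$WORK/$2" "$WORK/$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

run_demo() {
  make_demo_pki
  reissue_ca
  now=$(date +%s)
  later=$(future_epoch)
  if [ "$(cert_modulus ca.crt)" = "$(cert_modulus ca-new.crt)" ]; then
    echo "modulus unchanged:        yes"
  else
    echo "modulus unchanged:        no"
  fi
  echo "old CA, today:            $(verify_client_at "$now"   ca.crt     client9.crt)"
  echo "old CA, in three days:    $(verify_client_at "$later" ca.crt     client9.crt)"
  echo "new CA, in three days:    $(verify_client_at "$later" ca-new.crt client9.crt)"
  echo "new CA signature alg:     $(cert_sigalg ca-new.crt)"
  openssl x509 -noout -enddate -in "$WORK/ca-new.crt"
}

run_demo
```

Run it with a stock OpenSSL (1.1.1 or 3.x) on the path. The `-attime` check is what turns the one-day demo CA into a stand-in for the expired ten-year one: at today's date the old CA still validates `client9.crt`, three days later it does not, and the re-signed `ca-new.crt` does, with the same Modulus as before.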

    Did you know that this is possible?

    • 16.5% Yes 17
    • 87.3% No 90